diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
index 97b595f1ab7..8a9f8daf39c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
@@ -22,6 +22,7 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//vendor/k8s.io/klog:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index eb0ed61003b..8dd4ef80a9b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -22,6 +22,7 @@ import (
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/apiserver/pkg/authentication/user"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
@@ -486,8 +487,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 // Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
- // but do not bind it explicitly. Leave the decision of who can read it up
- // to cluster admins.
 roles = append(roles, rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
 Rules: []rbacv1.PolicyRule{
@@ -575,6 +574,20 @@ func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 },
 }
+ if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
+ // Allow all in-cluster workloads (via their service accounts) to read the OIDC discovery endpoints.
+ // Users with certain forms of write access (create pods, create secrets, create service accounts, etc)
+ // can gain access to a service account identity which would allow them to access this information.
+ // This includes the issuer URL, which is already present in the SA token JWT. Similarly, SAs can
+ // already gain this same info via introspection of their own token. Since this discovery endpoint
+ // points to what issued all service account tokens, it seems fitting for SAs to have this access.
+ // Defer to the cluster admin with regard to binding directly to all authenticated and/or
+ // unauthenticated users.
+ rolebindings = append(rolebindings,
+ rbacv1helpers.NewClusterBinding("system:service-account-issuer-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie(),
+ )
+ }
+
 addClusterRoleBindingLabel(rolebindings)
 return rolebindings